<html>
	<head>
		<title>Web Access Control Design</title>
	</head>
	<body>
		<?php

		/*
		* check if use HTTPS
		* @return bool
		*/
		function is_SSL(){
			if(!isset($_SERVER['HTTPS']))
			return FALSE;
			if($_SERVER['HTTPS'] === 1){  //Apache
				return TRUE;
			}elseif($_SERVER['HTTPS'] === 'on'){ //IIS
				return TRUE;
			}elseif($_SERVER['SERVER_PORT'] == 443){ //other
				return TRUE;
			}
			return FALSE;
		}


		// Connects to DB
		include("connectDB.php");

		//Checks if there is a login cookie
		if(isset($_COOKIE['c4707p1_id']))		{
			header("Location: logout.php");
		}
		//if the login form is submitted
		if (isset($_POST['submit'])) { // if form has been submitted
			// makes sure they filled it in
			if(!$_POST['username'] ) {
				die('Error: empty user name.');
			}else if(!$_POST['pass']){
				die('Error: no password entered.');
			}
			// checks it against the database
			$result = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());
			//Gives error if user dosen't exist
			//$check2 = mysql_num_rows($check);
			if (mysql_num_rows($result) == 0) {
				die('The username does not exist. Click <a href=createuser.php>here</a> to register');
			}

			while($entry = mysql_fetch_array($result))
			{
				$_POST['username'] = stripslashes($_POST['username']);
				$_POST['pass'] = stripslashes($_POST['pass']);
				$entry['salt'] = stripslashes($entry['salt']);
				$_POST['pass'] = crypt($_POST['pass'], $entry['salt']);
				
				if(!is_SSL()){ 
					die('The website can only be access through HTTPS connection!');
					
				}elseif ($entry['password'] != $_POST['pass']) {
					die('Incorrect password, please try again.');
					
				}else {
					echo "Login successful! Please wait to redirect to the content page...";					
					
					$expire = time() + 300; //5 min limit
					
					setcookie('c4707p1_username', $_POST['username'], $expire, '/~jin/', '.compsec2.engr.uconn.edu', 1);
					setcookie('c4707p1_exptime', $expire, $expire, '/~jin/', '.compsec2.engr.uconn.edu', 1);
					
					$data = $_POST['username'].$_POST['pass'].$expire;
					$data =  crypt($str, $entry['salt']);
					setcookie('c4707p1', $data, $expire, '/~jin/', '.compsec2.engr.uconn.edu', 1);

					//redirect to corresponding area
					if (1 == $entry['isAdmin']){
						//header("Location: admin1.php");
						header("Refresh: 1; url = 'admin1.php");
					}else if (0 == $entry['isAdmin']){
						header("Refresh: 1; url = 'user1.php");
					}
				}
			}
		}
		else{
			// if they are not logged in
			?>
			<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
				<table border="0">
					<tr>
						<td colspan=2>
							<h1>System Login Page</h1>
						</td>
					</tr>
					<tr>
						<td>Username:</td>
						<td>
							<input type="text" name="username" maxlength="30">
						</td>
					</tr>
					<tr>
						<td>Password:</td>
						<td>
							<input type="password" name="pass" maxlength="30">
						</td>
					</tr>
					<tr>
						<td colspan="2" align="right">
							<input type="button" id="reg" value="Register" onclick="parent.location='createuser.php'" />
							<input type="submit" name="submit" value="Login">
						</td>
					</tr>
				</table>
			</form>
			<?php
		}
		?>
	</body>
</html>
